Kabisa Privacy Policy

Last updated: 15 July 2026

This Privacy Policy explains how Kabisa Electric Ltd. ("Kabisa", "we", "us"), and, for users in Kenya, its regional expansion entity Kabisa Kenya, collect, use, share, and protect your personal data when you use:

(together, the "Services").

Kabisa is the data controller for the personal data described here. We are registered with the Rwanda National Cyber Security Authority (NCSA) as a data controller under Law No. 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. In Kenya, the Services are operated by Kabisa Kenya, which complies with the Kenya Data Protection Act, 2019 and is registered with the Office of the Data Protection Commissioner (ODPC).

Contact / Data Protection Officer (DPO): Nicholas Hu — [email protected] Kabisa Electric Ltd. — Kabisa EV House, 1 KN 77 St, Kiyovu (below Camp Kigali), Kigali, Rwanda · Company ID 120732779 · Tel: 6420 / +250 793 897 974 Kabisa Kenya — Golf View Offices, Nairobi, Kenya

For how to exercise your rights step by step, see our Data Subject Rights page.

1. What we collect

We collect only what we need to run a charging network and let you pay for electricity:

We do not knowingly collect data from anyone under 18. The consumer- and driver-facing Services are for drivers and fleet operators; CPMS access is limited to Kabisa staff and station-operator partners.

2. Why we use it (purposes and legal bases)

PurposeData usedLegal basis
Create and secure your accountAccount, technical dataContract; legitimate interest (security)
Show nearby available chargersOn-demand locationConsent (device location permission)
Start, run, and bill charging sessionsVehicle, charging activity, walletContract
Process payments and top-upsPayment references, wallet ledgerContract; legal obligation (financial records)
Send service messages (e.g. charge complete, receipt)Contact detailsContract
Marketing messagesContact detailsSeparate opt-in consent — never bundled with signup; withdraw any time
Prevent fraud and abuse (e.g. SIM-swap protection, rate limits)Technical data, access logsLegitimate interest
Meet tax and accounting lawCDRs, wallet ledgerLegal obligation (RRA in Rwanda; KRA in Kenya)
Improve the ServicesAggregated, anonymised analyticsLegitimate interest

3. Who we share it with

We do not sell your personal data. We share it only with:

4. Where your data lives

Your data is hosted in Rwanda, or in a registered cross-border location in accordance with Rwandan law. Where personal data is transferred outside Rwanda (for example to a regional cloud data centre), the transfer is registered with the NCSA and protected by contractual safeguards. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), with encrypted in-region backups.

5. How long we keep it

DataRetention
One-time sign-in codes (OTP)Minutes — deleted after single use
Security and access logs90 days to 1 year
Account and profileLife of the account, plus a 30-day grace period after a deletion request
Charging sessions and CDRsKept as financial records — 10 years (Rwanda, RRA) / 5 years (Kenya, KRA) — and pseudonymised (unlinked from your identity) when you delete your account
Wallet ledgerKept for financial integrity; unlinked from your identity on account deletion
Support tickets2 years
AnalyticsAggregated or anonymised; raw events no more than 14 months
LocationNot stored — used on demand for the map only

6. Your rights

Under Rwanda's Law No. 058/2021 (and, in Kenya, the Data Protection Act 2019) you have the right to:

To exercise any right, contact [email protected]. We respond within the timelines the law sets. See our Data Subject Rights page for the detailed how-to, response times, and identity-verification process.

Account deletion: you can delete your account in the App (Profile → Delete account) or by visiting gokabisa.com/delete-account. Deletion removes your profile and sign-in identity after a 30-day grace period. Charging and payment records that the law requires us to keep as financial records are retained but pseudonymised — they can no longer be linked to you.

7. Security

We protect your data with encryption in transit and at rest, short-lived access tokens stored in your device's secure keystore, rate limiting on sign-in codes, re-verification on new devices before wallet actions, and a payment PIN for higher-value actions. If a breach is likely to put your rights at risk, we will notify the NCSA within 48 hours (ODPC within 72 hours for Kenya) and affected users without undue delay.

8. Cookies and similar technologies

The gokabisa.com website and the web/CPMS versions of the Services use strictly-necessary local storage to keep you signed in and remember your language — no advertising or cross-site tracking cookies. See our Cookie Policy for the full list and how to manage them.

9. Changes to this policy

We will post any changes here and update the date above. For material changes we will notify you in the App or by message before they take effect.

10. Contact

Kabisa Electric Ltd. (trading as Kabisa) — Company ID 120732779 Kabisa EV House, 1 KN 77 St, Kiyovu (below Camp Kigali), Kigali, Rwanda Tel: 6420 / +250 793 897 974

Kabisa Kenya (regional expansion entity) — Golf View Offices, Nairobi, Kenya

[email protected] · [email protected]